#1  01-14-2025, 03:44 PM
Artifact
Administrator
Join Date: Jan 2024
Posts: 0

A malspam campaign has been found distributing the new META malware, a new info-stealer malware that appears to be rising in popularity among cybercriminals.
META is one of the novel info-stealers, along with Mars Stealer and BlackGuard, whose operators wish to take advantage of Raccoon Stealer's exit from the market that left many searching for their next platform.
Bleeping Computer first reported about META last month, when analysts at KELA warned about its dynamic entrance into the TwoEasy botnet marketplace.
The tool is sold at $125 for monthly subscribers or $1,000 for unlimited lifetime use and is promoted as an improved version of RedLine.
New Meta malspam campaign
A new spam campaign seen by security researcher and ISC Handler Brad Duncan is proof that META is actively used in attacks, being deployed to steal passwords stored in Chrome, Edge, and Firefox, as well as cryptocurrency wallets.
The infection chain in the particular campaign follows the "standard" approach of a macro-laced Excel spreadsheet arriving in prospective victims' inboxes as email attachments.

META infection chain on the spotted campaign
The messages make bogus claims of fund transfers that are not particularly convincing or well-crafted but can still be effective against a significant percentage of recipients.

Email carrying the malicious Excel attachment
The spreadsheet files feature a DocuSign lure that urges the target to "enable content" required to run the malicious VBS macro in the background.

The DocuSign lure that entices users to enable content
When the malicious script runs, it will download various payloads, including DLLs and executables, from multiple sites, such as GitHub.
Some of the downloaded files are base64 encoded or have their bytes reversed to bypass detection by security software. For example, below is one of the samples collected by Duncan that has its bytes reversed in the original download.

DLL saved in reverse byte order
Eventually, the final payload is assembled on the machine under the name "qwveqwveqw.exe," which is likely random, and a new registry key is added for persistence.

New registry key and the malicious executable
A clear and persistent sign of the infection is the EXE file generating traffic to a command and control server at 193.106.191[.]162, even after the system reboots, restarting the infection process on the compromised machine.

Malicious traffic captured in Wireshark
One thing to note is that META modifies Windows Defender via PowerShell to exclude .exe files from scanning, to protect its files from detection.
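As an added example that is not part of the post or of Duncan's write-up: an analyst-side helper that takes a downloaded stage and tries the two disguises the post describes, byte reversal and base64 encoding, alone and in both compositions, and accepts only a candidate whose MZ header points at a valid "PE\0\0" signature. The PE stub and its encoded variants are constructed here; they are not samples from the campaign.

```python
import base64
import binascii

# Constructed stand-in for a downloaded stage: a minimal 64-byte DOS header
# whose e_lfanew (offset 0x3c) points at a "PE\0\0" signature. Not a real sample.
PE_STUB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 44
    + b"\x40\x00\x00\x00"   # e_lfanew = 0x40
    + b"PE\x00\x00"
)

# Constructed variants mimicking the disguises seen in the campaign.
SAMPLES = {
    "plain.dll": PE_STUB,
    "reversed.dll": PE_STUB[::-1],
    "b64.txt": base64.b64encode(PE_STUB),
    "b64_of_reversed.txt": base64.b64encode(PE_STUB[::-1]),
    "reversed_b64.txt": base64.b64encode(PE_STUB)[::-1],
    "noise.txt": b"just text",
}

def looks_like_pe(data: bytes) -> bool:
    """MZ signature plus an e_lfanew that actually lands on 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def _b64(data: bytes):
    """Strict base64 decode (whitespace tolerated); None if not base64."""
    try:
        return base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return None

def _then_reverse(data):
    return None if data is None else data[::-1]

# Tried in order; the first transform yielding a valid PE image wins.
TRANSFORMS = {
    "raw": lambda d: d,
    "reversed": lambda d: d[::-1],
    "base64": _b64,
    "base64-then-reversed": lambda d: _then_reverse(_b64(d)),
    "reversed-then-base64": lambda d: _b64(d[::-1]),
}

def recover_payload(blob: bytes):
    """Return (transform_name, pe_bytes) or None if no transform yields a PE."""
    for name, fn in TRANSFORMS.items():
        out = fn(blob)
        if out is not None and looks_like_pe(out):
            return name, out
    return None

def analyse_samples() -> dict:
    """Map each constructed sample to the transform that recovered it."""
    return {n: (r[0] if (r := recover_payload(b)) else None) for n, b in SAMPLES.items()}
```

Running `analyse_samples()` shows which disguise each stage used, which is the triage step before hashing or detonating the recovered DLL.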